tech-pkg archive


Improving security for pkgsrc




Hi pkgsrc developers,

while looking for ways to provide binary packages for EdgeBSD users in
line with the current state of the art, I found that there is some
low-hanging fruit up for grabs:
http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=commitdiff;h=705b840d59ecd6834320c15d12ecdf38e133c0d7

1. Building with stack smashing protection (SSP):

  +_GCC_CFLAGS+=  -fstack-protector

This one is already described in NetBSD's build process; for a minor
performance penalty, the compiler will have a canary checked to be
present unmodified on the stack, thereby helping with the mitigation
of stack-based buffer overflows.

https://en.wikipedia.org/wiki/Stack-smashing_protection#GNU_Compiler_Collection_.28GCC.29

Also note that it can easily be applied to other compilers as well
(including clang) and that some even implement this by default (like
MSVC).

2. Building position-independent code:

  +_GCC_CFLAGS+=  -fPIC
  +_GCC_LDFLAGS+= -Wl,-pie

This helps with ASLR, randomizing the location of the .bss, .data
sections as well as the heap, instead of only the stack and mapped
memory (which I confirmed on NetBSD/amd64). There is one issue
remaining with this though: linking with libraries built with
"-Wl,-pie" seems to fail. So effectively this flag should only be
applied to executables, as is already possible in NetBSD's build
process with the MKPIE option.

https://en.wikipedia.org/wiki/ASLR
http://www.openbsd.org/papers/nycbsdcon08-pie/

3. Linking with RELRO by default:

  +_GCC_LDFLAGS+= -Wl,-z,relro

I am less familiar with this one, which OpenBSD has been advocating
for a while now:
http://undeadly.org/cgi?action=article&sid=20030126143902
(and in some slides from Theo)

I think OpenBSD's changes go much farther than just using this flag,
which should however be a good step already. The point is to mitigate
exploits injecting code within the ELF GOT and PLT tables, since they
are both writable and executable. I have confirmed that the program
table for binaries built with this option does contain an additional,
read-only entry - so this option does have an impact (NetBSD/amd64) -
and the resulting binaries still work for me.


Working on integration

This commit adds all those flags to CFLAGS and LDFLAGS, iff building
on NetBSD with gcc. It enables all three improvements by default as-is
(on this platform only). This is one reason it is not suitable for
inclusion yet, and I will welcome help to achieve it.

The first concern is obviously how to make it optional. Should I use
variables like USE_FORT/USE_SSP from mk.conf for SSP, or MKPIE for PIE
for instance, like when building NetBSD? And then MKRELRO or USE_RELRO?

I will also welcome suggestions to help fix the current issue building
PIE executables.

If there are NetBSD architectures known not to support these
flags, then they should also be listed here; or the other way around
if they are a majority, of course.

Similarly, I can use the information from the Wikipedia page about SSP
to extend support to other compilers (and to improve it on GCC as
well). I will welcome assistance on any additional platform.

Last but not least, I have similar patches ready for NetBSD's base system:
http://git.edgebsd.org/gitweb/?p=edgebsd-src.git;a=shortlog;h=refs/heads/integration/options

Let me know if any of those look good enough for NetBSD's base system,
or if they can already be discussed there as well.

HTH,
-- 
khorben
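A natural follow-up to the three flags discussed in the mail (SSP, PIE and RELRO) is checking whether a built package binary actually received them. The following is an added example, not code from this mail, from pkgsrc or from NetBSD: a small Python checker that reads only the ELF64 header, program headers and dynamic segment and reports the three properties. It assumes little-endian ELF64 (NetBSD/amd64 style) and rejects anything else; the SSP test is a heuristic based on the `__stack_chk_fail` import that `-fstack-protector` produces, so a binary with no function that needed a canary will report "no". The function names (`check_hardening`, `build_sample_elf`) are my own, and `build_sample_elf` constructs a synthetic, non-runnable ELF image with just the structures the checker reads, so the checker can be exercised offline.

```python
"""Report PIE, RELRO and SSP status for a little-endian ELF64 binary.

Added example (not from the mail, pkgsrc or NetBSD). Only the ELF header,
program headers and PT_DYNAMIC segment are parsed; other layouts are rejected.
"""
import struct

# Constants from <elf.h>
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def _phdrs(data):
    """Return (e_type, list of program headers) after validating the ident."""
    hdr = EHDR.unpack_from(data, 0)
    ident, e_type, phoff, phentsize, phnum = hdr[0], hdr[1], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is supported")
    return e_type, [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]


def _vaddr_to_offset(phdrs, vaddr):
    """Translate a virtual address to a file offset via the PT_LOAD that maps it."""
    for p_type, _fl, p_offset, p_vaddr, _pa, p_filesz, _ms, _al in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address %#x not in any PT_LOAD segment" % vaddr)


def _dynamic(data, phdrs):
    """Yield (tag, value) pairs from the PT_DYNAMIC segment, if there is one."""
    for p_type, _fl, p_offset, _va, _pa, p_filesz, _ms, _al in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                return
            yield tag, val


def check_hardening(data: bytes) -> dict:
    e_type, phdrs = _phdrs(data)
    dyn = dict(_dynamic(data, phdrs))
    # PIE: -Wl,-pie makes the linker emit an ET_DYN image, which the loader can place anywhere.
    pie = e_type == ET_DYN
    # Partial RELRO: -Wl,-z,relro adds a PT_GNU_RELRO segment the loader remaps read-only.
    relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    # Full RELRO also needs BIND_NOW, so the GOT is fully resolved before it is made read-only.
    bind_now = bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW) or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    # SSP heuristic: -fstack-protector code calls __stack_chk_fail, so its name lands in .dynstr.
    ssp = False
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        off = _vaddr_to_offset(phdrs, dyn[DT_STRTAB])
        ssp = b"__stack_chk_fail" in data[off:off + dyn[DT_STRSZ]].split(b"\0")
    return {"pie": pie, "relro": relro, "full_relro": relro and bind_now, "ssp": ssp}


def build_sample_elf(pie=True, relro=True, bind_now=False, ssp=True) -> bytes:
    """Constructed sample input: a minimal, non-runnable ELF64 image carrying only
    the PT_LOAD/PT_DYNAMIC(/PT_GNU_RELRO) headers, a .dynstr and a dynamic section."""
    nph = 3 if relro else 2
    phoff = EHDR.size
    dynstr_off = phoff + nph * PHDR.size
    dynstr = b"\0" + (b"__stack_chk_fail\0" if ssp else b"puts\0")
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7          # 8-byte align the dynamic section
    entries = [(DT_STRTAB, dynstr_off), (DT_STRSZ, len(dynstr))]
    if bind_now:
        entries.append((DT_FLAGS, DF_BIND_NOW))
    entries.append((DT_NULL, 0))
    dynamic = b"".join(DYN.pack(t, v) for t, v in entries)
    total = dyn_off + len(dynamic)
    phdrs = [PHDR.pack(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000),   # maps the whole file at vaddr 0
             PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 8)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, phoff, 0, 0,
                     EHDR.size, PHDR.size, nph, 0, 0, 0)
    return (ehdr + b"".join(phdrs) + dynstr).ljust(dyn_off, b"\0") + dynamic


if __name__ == "__main__":
    import sys
    # With a path argument, inspect that binary; otherwise inspect the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name, present in check_hardening(data).items():
        print("%-10s %s" % (name, "yes" if present else "no"))
```

Run it as `python3 elfcheck.py /path/to/binary` (the script name is assumed) on a freshly built package binary. With the exact flags the mail proposes, `pie`, `relro` and `ssp` should report "yes" and `full_relro` "no", since full RELRO additionally needs `-Wl,-z,now`, which the mail does not set; a build that silently dropped the flags (for example a package that overrides LDFLAGS) shows up as "no" on the corresponding line.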


